Hack The Army 3.0 furthers innovative bug bounty program to defend networks, data

Photo By William Roche | Hack The Army logo read more read more

Photo By William Roche | Hack The Army logo  see less | View Image Page

UNITED STATES

11.09.2020

Courtesy Story

U.S. Army Cyber Command

✔ ✗ Subscribe

8

THE FACTS: HACK THE ARMY

Hack The Army is a “bug bounty” program that builds on the efforts of Army and Department of Defense security professionals in safeguarding DoD and Army networks, systems and data.

The Army’s program began in late 2016, following the successful launch of DoD’s flagship Hack the Pentagon bug bounty initiative facilitated by the Defense Digital Service (DDS) earlier that year. DDS created Hack The Pentagon to help DoD and the military services run assessments on sensitive digital assets. With oversight from DDS’s Hack the Pentagon team, DoD has now executed 14 public bounties on external-facing websites and applications, and 10 private bounties on a range of sensitive, internal DoD systems. Examples of past private bounties include logistics systems, physical hardware, and personnel systems.

The bug bounties aim to evolve the security of DoD and Army networks, systems and data by allowing skilled civilian and military security researchers -- commonly known as hackers -- to perform specific techniques against select public-facing websites, to find vulnerabilities in those sites. Civilian hackers who discover and successfully report vulnerabilities can potentially earn cash rewards.

The first iteration of Hack The Army attracted 371 “white hat” hackers – including 25 government employees, of which 17 were uniformed military personnel -- to a two-month challenge. The event produced 416 reports that yielded 118 valid vulnerabilities, and civilian hackers were awarded about $100,000 for their discoveries. That success was followed by Hack The Army 2.0 in late 2019, during which 52 hackers from six countries found 146 valid vulnerabilities on publicly accessible Army websites in just over a month and civilian hackers earned a total of $275,000.

Hack The Army 3.0 is set to begin. This third iteration, a collaboration between U.S. Army Cyber Command (ARCYBER), DDS, and the Army Network Enterprise Technology Command, will begin with participant registration and administration, followed by the active hacking phase

that is scheduled to begin Dec. 14, 2020 and last until Jan. 28, 2021 or until funds are exhausted. ARCYBER officials are hoping to increase participation by military members, and are looking at ways to conduct more frequent bug bounty programs in the future.

How do DoD bug bounties and Hack The Army work?

DDS works with the agencies whose digital assets are being examined and a trusted private sector partner to recruit highly skilled researchers to conduct crowdsourced penetration tests. These registered participants are given legal consent to hack a variety of DoD assets to uncover and help fix vulnerabilities. All DoD bounties require these researchers to undergo background checks. Private bounties, or those testing internal systems, require background checks and citizenship verification before researchers gain privileged access to DoD systems and information. Most private bounties mandate the use of a virtual private network (VPN) to monitor and log researcher activity for system owner transparency and deconfliction.

During Hack The Army 2.0 hackers were asked to look at more than 60 items, such as the Arlington National Cemetery website and the army.mil domain. Hack The Army 3.0 will offer a dozen explicit domain targets of specific Army interest, as well as sign-on/authentication services and Army-owned VPNs. During the third iteration the entire *.army.mil domain can be targeted by participants as well, but rewards will be paid only for discovering certain categories of vulnerabilities.

The bounties offer both military and civilian participants a unique way to serve their country, while providing an innovative and effective means of “crowdsourcing” security solutions more quickly and economically than by developing similar solutions through more traditional methods.

How can I find information on participating in Hack The Army 3.0?

Eligible trusted, properly registered U.S. and foreign national researchers will be invited to participate in Hack The Army 3.0. Once again the HackerOne vulnerability coordination and bug bounty platform will facilitate the program. U.S. military and government civilian personnel interested in participating can get information and apply at https://www.hackerone.com/dds-apply.

----------

ABOUT US: U.S. Army Cyber Command integrates and conducts cyberspace, electronic warfare, and information operations, ensuring decision dominance and freedom of action for friendly forces in and through the cyber domain and the information environment, while denying the same to our advers

Interested in becoming an Army cyber Soldier or civilian employee? Check out the career links at www.arcyber.army.mil